M0Labs

Code Audit


A decentralized research and development lab focused on blockchain innovation.

Audit Report


Introduction

M^0 Labs is building a decentralized framework for the permissionless minting of on-chain currencies, governed by decentralized institutions. At the core of the system lies the $M token—a digital representation of value designed to inherit the minimal risk profile of physical cash while offering the efficiency of programmable money.

Why Did They Need an Audit?

M^0's contracts coordinate sensitive economic mechanisms such as collateral verification via validators, dynamic mint rate enforcement, token inflation through governance voting, and auction-based token distribution. Failure in any of these areas could lead to infinite minting, unauthorized access to vaults, or denial of service (DoS) on key governance functions. The M^0 team engaged Three Sigma for a comprehensive 8 person-week audit ahead of mainnet deployment.


Audit Date: 2024-01-08

Language: Solidity

Type: Code Audit

Results and Findings

Key High-Severity Issues

Missing deadline in Dutch auction buy leads to MEV risk

  • Description: PowerToken.buy() lacked a deadline parameter. Because the auction price falls over each period and resets higher when the next one begins, a buy transaction left pending in the mempool past the end of a period could execute in a later auction at a much higher price than the buyer saw when signing. Such pending transactions could also be bundled by ZeroToken holders, extracting disproportionate value from the buyer.
  • Resolution: Deadline parameter added and enforced via timestamp check.
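The pattern behind this finding and its fix, as an added illustration written for this page (it is not PowerToken code; the contract name, the linear price schedule, the period length and the extra maxPrice bound are assumptions made here):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified repeating Dutch auction. Hypothetical example, not M^0's PowerToken:
/// price curve, period length and names are assumptions for illustration only.
contract DutchAuctionExample {
    uint256 public constant AUCTION_PERIOD = 1 days;      // assumed
    uint256 public constant START_PRICE = 1_000 ether;    // assumed
    uint256 public constant FLOOR_PRICE = 1 ether;        // assumed

    uint256 public immutable firstAuctionStart;
    mapping(address => uint256) public purchased;

    error DeadlineExpired(uint256 deadline, uint256 nowTs);
    error PriceTooHigh(uint256 price, uint256 maxPrice);

    constructor() {
        firstAuctionStart = block.timestamp;
    }

    /// Price decays linearly from START_PRICE to FLOOR_PRICE within a period,
    /// then jumps back to START_PRICE when the next period begins.
    function currentPrice() public view returns (uint256) {
        uint256 elapsed = (block.timestamp - firstAuctionStart) % AUCTION_PERIOD;
        uint256 drop = (START_PRICE - FLOOR_PRICE) * elapsed / AUCTION_PERIOD;
        return START_PRICE - drop;
    }

    /// Vulnerable shape: a transaction signed near the end of a period (price close
    /// to FLOOR_PRICE) can sit in the mempool until the period rolls over and then
    /// execute at a price close to START_PRICE, with nothing stopping it.
    function buyWithoutDeadline(uint256 amount) external payable {
        uint256 cost = currentPrice() * amount;
        require(msg.value >= cost, "insufficient payment");
        purchased[msg.sender] += amount;
        _refund(msg.value - cost);
    }

    /// Hardened shape: the caller binds the order to a deadline and to a maximum
    /// unit price it is willing to pay, so a delayed transaction reverts instead
    /// of executing against a stale quote.
    function buy(uint256 amount, uint256 maxPrice, uint256 deadline) external payable {
        if (block.timestamp > deadline) revert DeadlineExpired(deadline, block.timestamp);
        uint256 price = currentPrice();
        if (price > maxPrice) revert PriceTooHigh(price, maxPrice);
        uint256 cost = price * amount;
        require(msg.value >= cost, "insufficient payment");
        purchased[msg.sender] += amount;
        _refund(msg.value - cost);
    }

    function _refund(uint256 excess) internal {
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}
```

The deadline check is what the report's resolution adds; the maxPrice bound is an additional slippage-style guard that covers the case where the transaction is included within the deadline but after the price has already moved against the buyer.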

Validator signatures with zero timestamps are replayable indefinitely

  • Description: If all validator signatures had timestamp zero, the update logic treated the timestamp as block.timestamp, allowing unlimited re-use of old signatures. This opened a path for a minter to misrepresent real-world collateral and mint $M backed by non-existent reserves.
  • Resolution: Protocol now rejects any signature with a zero timestamp.

Notable Medium-Severity Issues

Total principal invariant in MToken can be silently broken

  • Description: An unchecked addition in _addEarningAmount() could overflow principalOfTotalEarningSupply, particularly when different rates are in use across minting contracts. Because the total wraps silently, the broken invariant might not surface until a later safe cast in mint reverts, and it is not guaranteed to surface even then.
  • Resolution: Now uses checked math to avoid silent overflows.
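An added example of the silent-wrap failure mode and the checked alternative, written for this page rather than taken from MToken (the uint112 width, the per-account mapping and the invariant helper are assumptions made here to keep the model small):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Toy earning-supply accounting showing how an `unchecked` add can silently
/// break the invariant "sum of per-account principals == total principal".
/// Hypothetical code for this page, not M^0's MToken; widths and names are assumed.
contract PrincipalAccountingExample {
    uint112 public principalOfTotalEarningSupply;
    mapping(address => uint112) public principalOf;

    error PrincipalOverflow(uint256 attempted);

    /// Vulnerable shape: the running total wraps modulo 2**112 inside `unchecked`,
    /// while the per-account write still fits, so no revert occurs and the
    /// total drifts away from the sum of the parts.
    function addEarningAmountUnchecked(address account, uint112 principal) external {
        unchecked {
            principalOfTotalEarningSupply += principal;
        }
        principalOf[account] += principal; // checked: fits as long as this account is small
    }

    /// Hardened shape: widen to uint256, add, and bounds-check explicitly so an
    /// overflow reverts with a descriptive error instead of wrapping.
    function addEarningAmount(address account, uint112 principal) external {
        uint256 newTotal = uint256(principalOfTotalEarningSupply) + principal;
        if (newTotal > type(uint112).max) revert PrincipalOverflow(newTotal);
        principalOfTotalEarningSupply = uint112(newTotal);
        principalOf[account] += principal; // checked arithmetic by default in 0.8.x
    }

    /// Invariant probe for tests or off-chain monitoring: true iff the total
    /// equals the sum of the given accounts' principals.
    function invariantHolds(address[] calldata accounts) external view returns (bool) {
        uint256 sum;
        for (uint256 i; i < accounts.length; ++i) {
            sum += principalOf[accounts[i]];
        }
        return sum == principalOfTotalEarningSupply;
    }
}
```

To see the difference, call addEarningAmountUnchecked twice from two different accounts with a principal of 2**111 + 1 each: both per-account writes succeed, the total wraps to 2, and invariantHolds returns false. The same two calls through addEarningAmount revert on the second with PrincipalOverflow.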

Timestamps with higher-than-minimum values reusable in validator consensus

  • Description: A validator signature with a future timestamp could be re-used in multiple calls, as only the minimum of all timestamps is enforced. This could delay penalization or mislead the system about recency.
  • Resolution: Acknowledged. Future fix may flag digests or limit deviation among timestamps.
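An added example covering both validator-timestamp findings above (the zero-timestamp replay and the reuse of higher-than-minimum timestamps). It is hypothetical code written for this page, not M^0's contracts: the digest layout, the MAX_TIMESTAMP_SPREAD bound, the per-validator digest flagging and the validator-set handling are assumptions, chosen to show one way the acknowledged mitigations could look alongside the shipped zero-timestamp rejection:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified validator-attested collateral update. Hypothetical code for this page,
/// not M^0's implementation; digest layout, constants and bookkeeping are assumptions.
contract CollateralUpdateExample {
    struct Signature { uint8 v; bytes32 r; bytes32 s; }

    /// Assumed bound on how far apart validators' attestation times may be.
    uint256 public constant MAX_TIMESTAMP_SPREAD = 1 hours;
    /// secp256k1 n/2: reject high-s signatures so each message has one valid encoding.
    uint256 private constant HALF_ORDER = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => bool) public isValidator;
    mapping(address => uint256) public collateralOf;
    mapping(address => uint256) public lastUpdateOf;
    mapping(bytes32 => bool) public usedAttestation; // keyed on (digest, validator)

    error ZeroTimestamp(uint256 index);
    error FutureTimestamp(uint256 index);
    error TimestampSpreadTooLarge(uint256 minTs, uint256 maxTs);
    error InvalidSignature(uint256 index);
    error AttestationAlreadyUsed(uint256 index);
    error StaleUpdate();

    constructor(address[] memory validators) {
        for (uint256 i; i < validators.length; ++i) isValidator[validators[i]] = true;
    }

    /// What each validator signs: chain and contract bound, plus the attested facts.
    function digestFor(address minter, uint256 collateral, uint256 timestamp) public view returns (bytes32) {
        return keccak256(abi.encode(block.chainid, address(this), minter, collateral, timestamp));
    }

    /// The update is dated at the minimum attested timestamp (most conservative wins).
    /// Validators must be passed in strictly ascending address order so none repeats.
    function updateCollateral(
        address minter,
        uint256 collateral,
        uint256[] calldata timestamps,
        address[] calldata validators,
        Signature[] calldata sigs
    ) external returns (uint256 minTimestamp) {
        uint256 n = timestamps.length;
        require(n > 0 && validators.length == n && sigs.length == n, "length mismatch");
        minTimestamp = type(uint256).max;
        uint256 maxTimestamp;

        for (uint256 i; i < n; ++i) {
            uint256 ts = timestamps[i];
            // High-severity fix: zero is never accepted as "use block.timestamp".
            if (ts == 0) revert ZeroTimestamp(i);
            if (ts > block.timestamp) revert FutureTimestamp(i);
            if (i > 0) require(validators[i] > validators[i - 1], "validators unsorted or repeated");

            if (uint256(sigs[i].s) > HALF_ORDER) revert InvalidSignature(i);
            bytes32 digest = digestFor(minter, collateral, ts);
            address signer = ecrecover(digest, sigs[i].v, sigs[i].r, sigs[i].s);
            if (signer == address(0) || signer != validators[i] || !isValidator[signer]) revert InvalidSignature(i);

            // Medium-severity mitigation (assumed here): each (digest, validator) pair is
            // consumed once, so a higher-than-minimum timestamp cannot be presented again.
            bytes32 key = keccak256(abi.encode(digest, signer));
            if (usedAttestation[key]) revert AttestationAlreadyUsed(i);
            usedAttestation[key] = true;

            if (ts < minTimestamp) minTimestamp = ts;
            if (ts > maxTimestamp) maxTimestamp = ts;
        }

        // Second assumed mitigation: bound the deviation among the timestamps.
        if (maxTimestamp - minTimestamp > MAX_TIMESTAMP_SPREAD) {
            revert TimestampSpreadTooLarge(minTimestamp, maxTimestamp);
        }
        if (minTimestamp <= lastUpdateOf[minter]) revert StaleUpdate();

        collateralOf[minter] = collateral;
        lastUpdateOf[minter] = minTimestamp;
    }
}
```

Only the zero-timestamp rejection corresponds to a change the report records as shipped; the per-attestation flag and the spread bound are the two directions the report says a future fix might take, shown together so their interaction with the min-timestamp rule is visible in one place.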

Severity Issues

  • Critical: 0
  • High: 2
  • Medium: 2
  • Low: 11
  • Informational: Several

Audit Period

  • 8 person-weeks (PW)

In conclusion

Three Sigma performed a full-stack security review of M^0 Labs’ 2,927-line protocol, encompassing governance, validator signature verification, inflationary supply logic, and collateral-backed stablecoin minting. While no critical vulnerabilities were discovered, we identified two high-severity bugs, one exploitable through delayed execution of stale auction transactions and one through replay of validator signatures. Both were fully addressed. The M^0 system displays solid design fundamentals and is supported by extensive testing and modularity, though continued monitoring and the assumptions made about validator behaviour should remain a core focus post-launch.
